author | Rushan Chen <rushan.chen@mongodb.com> | 2021-12-15 10:36:27 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-12-15 11:24:31 +0000 |
commit | e0d5fbeb1075e0ab903a190e514d19239c5e9c0d (patch) | |
tree | 9b70a908b8f8652f1c0fc91bbd91814fba94303d | |
parent | 85ce0c4d704abe540242dca01f8d5b86d15d55ce (diff) | |
download | mongo-e0d5fbeb1075e0ab903a190e514d19239c5e9c0d.tar.gz |
SERVER-61931 add additional privileges on system_buckets collection for cluster manager role
-rw-r--r-- | src/mongo/db/auth/builtin_roles.cpp | 3 | ||||
-rw-r--r-- | src/mongo/db/auth/builtin_roles_test.cpp | 26 |
2 files changed, 28 insertions, 1 deletions
diff --git a/src/mongo/db/auth/builtin_roles.cpp b/src/mongo/db/auth/builtin_roles.cpp
index d210914a6f9..74461687ad5 100644
--- a/src/mongo/db/auth/builtin_roles.cpp
+++ b/src/mongo/db/auth/builtin_roles.cpp
@@ -457,6 +457,9 @@ void addClusterManagerPrivileges(PrivilegeVector* privileges) {
 Privilege(ResourcePattern::forAnyNormalResource(), clusterManagerRoleDatabaseActions));
 Privilege::addPrivilegeToPrivilegeVector(
 privileges,
+ Privilege(ResourcePattern::forAnySystemBuckets(), clusterManagerRoleDatabaseActions));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
 Privilege(ResourcePattern::forDatabaseName("config"), clusterManagerRoleDatabaseActions));
 Privilege::addPrivilegeToPrivilegeVector(
 privileges,
diff --git a/src/mongo/db/auth/builtin_roles_test.cpp b/src/mongo/db/auth/builtin_roles_test.cpp
index 283c7f57df7..3ae43f1c2a6 100644
--- a/src/mongo/db/auth/builtin_roles_test.cpp
+++ b/src/mongo/db/auth/builtin_roles_test.cpp
@@ -92,7 +92,7 @@ TEST(BuiltinRoles, getBuiltinRolesForDB) {
 ASSERT_GTE(adminRoles.size(), testRoles.size());
 }
 
-TEST(BuiltinRoles, addPrivilegsForBuiltinRole) {
+TEST(BuiltinRoles, addPrivilegesForBuiltinRole) {
 PrivilegeVector privs;
 ASSERT(auth::addPrivilegesForBuiltinRole(RoleName("read", "admin"), &privs));
 ASSERT_EQ(privs.size(), 2);
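Review bot: The new grant on `ResourcePattern::forAnySystemBuckets()` carries no comment explaining why it is needed next to the `forAnyNormalResource()` grant directly above it; presumably the normal-resource pattern does not match system.buckets.* namespaces, so the sharding actions in `clusterManagerRoleDatabaseActions` were previously unavailable to clusterManager for time-series buckets, and that should be stated in place since the line widens the role's reach to a system namespace in every database. Suggested comment above the added `Privilege(...)`: `// system.buckets.* is not matched by forAnyNormalResource(); grant the same sharding actions there so time-series collections can be managed by this role.` Reusing `clusterManagerRoleDatabaseActions` rather than a second action list keeps the two grants in lockstep, which is the right choice. The enclosing addClusterManagerPrivileges body starts and ends outside the hunk.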
@@ -120,5 +120,29 @@ TEST(BuiltinRoles, addPrivilegsForBuiltinRole) {
 }
 }
+TEST(BuiltinRoles, addSystemBucketsPrivilegesForBuiltinRoleClusterManager) {
+ PrivilegeVector privs;
+ ASSERT(auth::addPrivilegesForBuiltinRole(RoleName("clusterManager", "admin"), &privs));
+ ASSERT_EQ(privs.size(), 9);
+
+ const auto systemBucketsResourcePattern = ResourcePattern::forAnySystemBuckets();
+
+ const ActionSet clusterManagerRoleDatabaseActionSet({
+ ActionType::clearJumboFlag,
+ ActionType::splitChunk,
+ ActionType::moveChunk,
+ ActionType::enableSharding,
+ ActionType::splitVector,
+ ActionType::refineCollectionShardKey,
+ ActionType::reshardCollection,
+ });
+
+ for (const auto& priv : privs) {
+ auto resourcePattern = priv.getResourcePattern();
+ if (resourcePattern == systemBucketsResourcePattern) {
+ ASSERT(priv.getActions() == clusterManagerRoleDatabaseActionSet);
+ }
+ }
+}
 } // namespace
 } // namespace mongo |
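Review bot: The `for` loop at the end of the new test passes vacuously when no privilege carries the system.buckets pattern, because the only `ASSERT` sits inside the `if`; if the grant in builtin_roles.cpp were dropped, `privs.size()` would fall to 8 but nothing here would confirm the pattern itself is present. Track a match and check it after the loop: `bool foundSystemBuckets = false;` before the loop, `foundSystemBuckets = true;` inside the `if`, and `ASSERT(foundSystemBuckets);` after it. The expected action list is also a hand copy of `clusterManagerRoleDatabaseActions`, so the two will drift silently if the role's actions change; a comment naming the constant it mirrors, or comparing against the actions of the `forAnyNormalResource()` privilege in the same vector, would make that coupling visible. `ASSERT_EQ(privs.size(), 9)` pins a count that any future privilege addition will break, so a comment listing which nine grants are expected would make the eventual failure actionable. The two leading context lines close the previous TEST, whose body lies outside the hunk.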